Linux-CIFS Archive on lore.kernel.org
From: Steve French <smfrench@gmail.com>
To: abrosich@inogs.it
Cc: CIFS <linux-cifs@vger.kernel.org>
Subject: Re: Permission denied mounting a DFS share with multiuser options
Date: Tue, 3 Dec 2019 16:16:29 -0600
Message-ID: <CAH2r5mu5dedRmPQzRUH=E87J2txsBv3DiFYZLT-a_xYay=2czA@mail.gmail.com> (raw)
In-Reply-To: <5a987faff74646e68207e26e570a708669dd4103.camel@inogs.it>

Have you experimented with a newer kernel (e.g. Ubuntu 19 or the
download from the Ubuntu mainline kernel download site) to see if some
of Paulo's DFS fixes (e.g. a large set went in last year) help?

On Wed, Nov 27, 2019 at 6:20 AM <abrosich@inogs.it> wrote:
>
>
> Hello,
>
> I'm trying to configure a linux client (Ubuntu 18.04.3) to mount a DFS
> share from a windows server 2019. Both machines are joined in the same
> Active Directory domain. I joined the linux client using the "realm"
> command and it works fine: for example I can login with ssh using AD
> credentials.
>
> The package cifs-utils is version 6.8.
>
> I start by saying that I have a little knowledge of the Windows world
> and in particular of SMB, hence my question could be silly, but I
> searched for days without finding any solution.
>
> I found the following entries in the krb5.conf file (I suppose added by
> "realm" command):
>    3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-crc)
>    3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-md5)
>    3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (arcfour-hmac)
>    3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes128-cts-hmac-sha1-96)
>    3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes256-cts-hmac-sha1-96)
>    3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (des-cbc-crc)
>    3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (des-cbc-md5)
>    3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (arcfour-hmac)
>    3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (aes128-cts-hmac-sha1-96)
>    3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (aes256-cts-hmac-sha1-96)
>
> I created on the Domain Controller a user principal "linuxclientuser-
> cifs" and associated to it an SPN "cifs/linuxclient.fqdn@AD.DOMAIN". I
> exported the keytab file and added it in krb5.keytab where I have now
> the following entries:
>
>    3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-crc)
>    3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-md5)
>    3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (arcfour-hmac)
>    3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes256-cts-hmac-sha1-96)
>    3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes128-cts-hmac-sha1-96)
>
>
> I use the following command to mount the share:
> sudo mount --verbose --types cifs //winsrv/CifsShare /mnt/cifs --options sec=krb5,multiuser,vers=3,user=cifs/linuxclient.fqdn,domain=AD.DOMAIN
>
> and the response is: "mount error(13): Permission denied"
>
> Looking at logs I find:
> Nov 27 13:07:18 linuxclient cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=winsrv;ip4=XXX.XXX.XXX.XXX;sec=krb5;uid=0x0;creduid=0x0;user=cifs/linuxclient.fqdn;pid=0x6ac
> Nov 27 13:07:18 linuxclient cifs.upcall: ver=2
> Nov 27 13:07:18 linuxclient cifs.upcall: host=winsrv
> Nov 27 13:07:18 linuxclient cifs.upcall: ip=XXX.XXX.XXX.XXX
> Nov 27 13:07:18 linuxclient cifs.upcall: sec=1
> Nov 27 13:07:18 linuxclient cifs.upcall: uid=0
> Nov 27 13:07:18 linuxclient cifs.upcall: creduid=0
> Nov 27 13:07:18 linuxclient cifs.upcall: user=cifs/linuxclient.fqdn
> Nov 27 13:07:18 linuxclient cifs.upcall: pid=1708
> Nov 27 13:07:18 linuxclient cifs.upcall: get_cachename_from_process_env: pid == 0
> Nov 27 13:07:18 linuxclient cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
> Nov 27 13:07:18 linuxclient cifs.upcall: get_tgt_time: unable to get principal
> Nov 27 13:07:18 linuxclient cifs.upcall: handle_krb5_mech: getting service ticket for winsrv
> Nov 27 13:07:18 linuxclient cifs.upcall: handle_krb5_mech: obtained service ticket
> Nov 27 13:07:18 linuxclient cifs.upcall: Exit status 0
>
>
> where it says that it gets the service ticket (I can see it sniffing
> packets with Wireshark) but it is "unable to get principal". Which
> principal?
>
> On the server side I have the following error:
>
> A process has requested access to an object, but has not been granted
> those access rights. (0xC0000022)
> SPN: session setup failed before the SPN could be queried
> SPN Validation Policy: SPN optional / no validation
>
>
> What am I doing wrong?
>
> Any suggestion is welcome.
>
> Best regards
>
> Alberto
>
>


-- 
Thanks,

Steve

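Two diagnostics in the quoted report carry more information than is obvious at a glance: the klist-style keytab listing (which shows single-DES and RC4 keys alongside the AES ones) and the request-key description that cifs.upcall logged (whose uid, creduid and pid fields are hex, so pid=0x6ac is the pid=1708 printed a few lines later, and creduid=0x0 is why the upcall went to root's default ccache). The following is an added example, not code from the thread, from cifs-utils or from the kernel. It parses both formats, flags enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES and RC4-HMAC), and decodes the hex fields. The sample inputs are constructed from the lines in the thread with the mail-wrapped enctype names re-joined; the hostnames, realm and redacted address are kept as the reporter wrote them.

```python
"""
Decode two diagnostics pasted in the thread above: a klist-style keytab
listing and the request-key description that cifs.upcall logs.
Added example; not code from the thread, from cifs-utils or from the kernel.
"""
import re
from collections import OrderedDict

# Enctypes deprecated by the IETF: single DES (RFC 6649), 3DES and
# RC4-HMAC (RFC 8429). AD keytab exports may still contain them.
WEAK_ENCTYPES = frozenset({
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
    "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp",
})

# One line of `klist -k -e -t` output: kvno, date, time, principal, (enctype)
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+@\S+)\s+\((\S+)\)\s*$")

# Constructed sample: the reporter's keytab entries, wrapped names re-joined.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-crc)
   3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-md5)
   3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (arcfour-hmac)
   3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes128-cts-hmac-sha1-96)
   3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes256-cts-hmac-sha1-96)
   3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-crc)
   3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-md5)
   3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (arcfour-hmac)
   3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes256-cts-hmac-sha1-96)
   3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes128-cts-hmac-sha1-96)
"""

# Constructed from the "key description" line cifs.upcall logged in the thread.
SAMPLE_DESC = ("cifs.spnego;0;0;39010000;ver=0x2;host=winsrv;ip4=XXX.XXX.XXX.XXX;"
               "sec=krb5;uid=0x0;creduid=0x0;user=cifs/linuxclient.fqdn;pid=0x6ac")


def parse_keytab_listing(text):
    """Map principal -> {"kvno": int, "enctypes": [names]} from klist output."""
    entries = OrderedDict()
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, _date, _time, principal, enctype = m.groups()
        entry = entries.setdefault(principal, {"kvno": int(kvno), "enctypes": []})
        entry["enctypes"].append(enctype)
    return entries


def weak_enctypes(entries):
    """Principals that still have deprecated keys, with the offending enctypes."""
    report = {}
    for principal, entry in entries.items():
        weak = sorted(e for e in entry["enctypes"] if e in WEAK_ENCTYPES)
        if weak:
            report[principal] = weak
    return report


def parse_upcall_description(desc):
    """Split a request-key callout: type;uid;gid;perm;key=value;... and
    decode the hex fields (uid, creduid, pid, ver) that cifs.ko emits."""
    fields = desc.split(";")
    if len(fields) < 4:
        raise ValueError("not a request-key callout description: %r" % desc)
    req = {"key_type": fields[0], "key_uid": int(fields[1]),
           "key_gid": int(fields[2]), "key_perm": int(fields[3], 16)}
    for kv in fields[4:]:
        key, sep, value = kv.partition("=")
        if not sep:
            continue
        req[key] = int(value, 0) if key in ("uid", "creduid", "pid", "ver") else value
    return req


def summarize_request(req):
    """Say whose credentials the upcall will search for. With multiuser the
    kernel sets up one session (and one upcall) per accessing uid; creduid
    names the user whose credential cache is consulted."""
    hint = (", principal hint user=%s" % req["user"]) if "user" in req else ""
    return ("%s for host=%s from pid %d: mount uid %d, credentials of uid %d%s"
            % (req["key_type"], req.get("host", "?"), req["pid"],
               req["uid"], req["creduid"], hint))


if __name__ == "__main__":
    keytab = parse_keytab_listing(SAMPLE_KLIST)
    for principal, weak in weak_enctypes(keytab).items():
        print("%s: deprecated enctypes %s" % (principal, ", ".join(weak)))
    print(summarize_request(parse_upcall_description(SAMPLE_DESC)))
```

Run it against real output by piping `klist -k -e -t` into `parse_keytab_listing` and the `key description:` line from the journal into `parse_upcall_description`; a multiuser mount should show requests whose creduid is the accessing user, not 0, once users other than root touch the share.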
Thread overview: 2+ messages
2019-11-27 12:20 abrosich
2019-12-03 22:16 ` Steve French [this message]
